MediaTek fixes several flaws that attackers can exploit without user interaction.

smartphones, security tv, data management, data centers
BEC and romance scams: How to protect your business Watch Now

Taiwanese chip maker MediaTek has addressed four vulnerabilities that could have allowed malicious apps to eavesdrop on Android phone users. 

Three the of vulnerabilities, tracked as CVE-2021-0661, CVE-2021-0662 and CVE-2021-0663, affected MediaTek’s audio digital signal processor (DSP) firmware. It’s a sensitive component that if compromised could allow attackers to spy on user conversations. 

Researchers at Check Point found and reported the flaws to MediaTek, which disclosed and fixed them in October. A fourth issue affects the MediaTek HAL (CVE-2021-0673). It was also fixed in October but will be disclosed in December. 

“A malformed inter-processor message could potentially be used by an attacker to execute and hide malicious code inside the DSP firmware. Since the DSP firmware has access to the audio data flow, an attack on the DSP could potentially be used to eavesdrop on the user,” explains Check Point researcher Slava Makkaveev. 

According to market research firm Counterpoint, MediaTek’s system on chips (SoCs) accounted for 43% of the mobile SoCs shipped in Q2 2021. Its chips are found in high-end smartphones from Xiaomi, Oppo, Realme, Vivo and others. Check Point estimates MediaTek chips are present in about a third of all smartphones.

The vulnerabilities are accessible from the Android user space, meaning a malicious Android app installed on a device could be used for privilege escalation against the MediaTek DSP for eavesdropping.

MediaTek rated CVE-2021-0661, CVE-2021-0662 and CVE-2021-0663 as medium severity heap-based buffer over flaws in DSP. In all three cases, it notes that “user interaction is not needed for exploitation.”

Check Point also discovered a way to use the Android Hardware Abstraction Layer (HAL) as a way to attack MediaTek hardware. 

“While looking for a way to attack the Android HAL, we found several dangerous audio settings implemented by MediaTek for debugging purposes. A third-party Android application can abuse these settings to attack MediaTek Aurisys HAL libraries,” explains Makkaveev.

He adds that device manufacturers don’t bother validating HAL configuration files properly because they are not available to unprivileged users. 

“But in our case, we are in control of the configuration files. The HAL configuration becomes an attack vector. A malformed config file could be used to crash an Aurisys library which could lead to LPE,” writes Makkaveev. 

“To mitigate the described audio configuration issues, MediaTek decided to remove the ability to use the PARAM_FILE command via the AudioManager in the release build of Android,” he adds.

TECH NEWS RELATED

Hyundai Venue 2021 given wireless Apple CarPlay and Android Auto

Hyundai’s most affordable vehicle in Australia, the Venue SUV, has been given a round of updates for 2021 that bring wireless Apple CarPlay and Android Auto to the SUV – at a price

View more: Hyundai Venue 2021 given wireless Apple CarPlay and Android Auto

Google unwraps several new and festive holiday features for Android

Google is closing out 2021 with a variety of new features for Android fans that are aimed at helping people get more out of this holiday season. The search giant rounded up the new collection of Android features in a blog post, and they include some new Android Auto enhancements, ...

View more: Google unwraps several new and festive holiday features for Android

Deals: Hisense A6G 4K Android TVs from $279, Anker Nebula projectors, more

All of today’s best discounts are headlined by a series of Hisense A6G Android TV discounts from $279. That’s alongside a 1-day Anker Nebula projector sale, and the brand’s power strips from $12. Hit the jump for all that and more in the latest 9to5Toys Lunch Break. Hisense A6G ...

View more: Deals: Hisense A6G 4K Android TVs from $279, Anker Nebula projectors, more

Android users may get to ‘change’ couple emojis on WhatsApp

WhatsApp has been rolling out new features continuously through beta updates for quite a while. Now, the platform has reportedly started rolling out skin tone combinations for Android devices. As per a report on WABetaInfo, the new beta update Android smartphone users can now create different skin tone combinations for ...

View more: Android users may get to ‘change’ couple emojis on WhatsApp

Android 12 seems to be causing connectivity issues for some Google Pixel phones including Pixel 6

Google’s Android 12 update is huge and exciting, but it also came with an unorthodox timeline and quite a few more bugs than usual. Now, it’s becoming pretty clear that Android 12 is also causing some connectivity/signal issues with Google Pixel phones, including the newly released Pixel 6 series. ...

View more: Android 12 seems to be causing connectivity issues for some Google Pixel phones including Pixel 6

Bet you didn't know Android 12 could do all this

Your phone can do a lot of new tricks in Google's Android 12. We'll show you four hidden features you might've missed.

View more: Bet you didn't know Android 12 could do all this

Google introduces new Android features that include digital car keys for Galaxy S21 and Pixel 6 phones

Google has announced multiple new Android features which will either be coming out soon or have already been made available. These Android features include the digital car key functionality which was demonstrated by Google on Android 12 at Google I/O in May 2021. The company mentioned in that event that ...

View more: Google introduces new Android features that include digital car keys for Galaxy S21 and Pixel 6 phones

[Update: December] The best affordable Android phones you can buy today

At this point in time, you just don’t need a flagship to get a good everyday Android experience. With initiatives like Android One, Android Go, and Google’s own step into the affordable market, Google has made mid-range and even low-range devices even more usable and enticing than ever. With ...

View more: [Update: December] The best affordable Android phones you can buy today

OnePlus 9R gets latest OxygenOS update with November 2021 Android security patch

How to downgrade from Android 12 to Android 11 on Google Pixel [Video]

BMW Makes Digital Key Available on Android Phones, Starting With Galaxy S21 and Pixel 6

YouTube Premium Users Get Listening Controls on Android, iOS: Report

Google Photos for Android Gets New Memories Collections, Fresh Widget

Android Auto Update to Bring Smart Replies Feature, Digital Car Key, Always-On Music Button, More

New Android Automotive-Based Platform Promises the Digital Cockpit Everybody Wants

Google Updating Android With New Features Including Family Alerts, Digital Car Key Support

These phones may be the first to get the world’s ‘most-powerful’ Android processor, Snapdragon 8 Gen 1

Google brings new features to Photos, Android Auto and more

YouTube Premium perk on Android, iOS adds persistent ‘Listening controls’ for all videos

Switching from Android to iPhone exposed my friends' real feelings

OTHER TECH NEWS

;